How do I use sessions to protect my pages?

make a db called login and a table in it called users add two fields, one name and second pass, add your users in there, don't forget to use the function password for your pass field.....

index.php

<?php

session_start();
//starts the session
if (isset($HTTP_POST_VARS['userid']) && isset($HTTP_POST_VARS['password']))
{
//if the user just tried to log in than
//it will connect to db and will check if the user is in your table

$userid = $HTTP_POST_VARS['userid'];
$password = $HTTP_POST_VARS['password'];

$db = mysql_connect('localhost','root','yourpassword');

mysql_select_db('login',$db);

$query = "select * from `users` where name='$userid' and pass=password('$password')";

$result = mysql_query($query,$db);

$usercheck = mysql_num_rows($result);

//if the user matches than it registers
//the session as valid_user and the user's name or their login name

if ($usercheck == 1)
{
$HTTP_SESSION_VARS['valid_user'] = $userid;
} else
{
echo "Your username or password didn't match.";
}
}
?>
<html>
<head>
<title>
<?php
//if the session is registered than it will
//write the user's name in the title bar or will ask to log in

if (isset($HTTP_SESSION_VARS['valid_user']))
{
echo "You are logged in as: ". $HTTP_SESSION_VARS['valid_user'];
}
else
{
echo "Log in please";
}
?>
</title>
</head>
<body bgcolor=lightblue text=darkblue>
<h1>Main Page</h1>
<?php
//it checks if the session variable valid_user exists
//if it does than it prints what you like
if (isset($HTTP_SESSION_VARS['valid_user']))
{
echo "You are logged in as: ". $HTTP_SESSION_VARS['valid_user'];
echo "<br><br>";
//put your stuff here
echo "<a href='logout.php'>Log Out</a><br>";

}
else
{

//if the variable userid exists and the user
//wasn't displayed the page above
//it indicates that they did not match in the database

if (isset($userid))

{
echo "Could not log you in, You are not authorised to view this page";
exit;
}

//if any of the above variable does not exist
//than the user just to the page, so show them the page

echo "<form method='post' action='index.php'>";
echo "<table>";
echo "<tr><td>Name </td>";
echo "<td><input type='text' name='userid'></td></tr>";
echo "<tr><td>Password</td>";
echo "<td><input type='password' name='password'></td></tr>";
echo "<tr><td colspan='2' align='center'>";
echo "<input type='submit' value='Log in'></td></tr>";
echo "</table></form>";

}
?>
<br>
</body>
</html>
//and that's it...than comes the logout.php

logout.php
<?php
session_start();
//starts the session
?>
<html>
<head>
<title>
<?php
//the same function as above, the user's logon name, else saying
if (isset($HTTP_SESSION_VARS['valid_user']))
{
echo "You were logged in as: ". $HTTP_SESSION_VARS['valid_user'];
}
else
{
echo "Your did not log in....";
}
?>
</title>
</head>
<body bgcolor=lightblue text=darkblue>
<h1>Log Out Page</h1>
<?php

$old_user = $HTTP_SESSION_VARS['valid_user'];

unset($HTTP_SESSION_VARS['valid_user']);

session_destroy();

if (!empty($old_user))
{
echo "<br>logged out successfully<br>";
}
else
{
echo "<br><b><font color='red'>You did not log in so you are not logged out</font></b><br>";
}
?>

<a href='index.php'> back to main page</a>
</body>
</html>

this is it, now you put the below statment in every page you only want your friends or registered users to see, add the page link to your index.php page, so if teh user hasn't log in than it will show it the unathorized page not the page you only wnat your users to see....

//put this in every page you want only your users to see

if isset($HTTP_SESSION_VARS['valid_user'])
{
//then your page that you want only users to see
}
{
//unuthorization page here
}

thank you..
Parth